Latest Zamfoo version sends your ROOT PASSWORD by e-mail back to them!

  #1  
Old 06-25-2009, 02:18 PM
SamCD SamCD is offline
Web Hosting Guru
 
Join Date: May 2007
Location: Chester, UK
Posts: 271

From a thread I've just seen over at DigitalPoint:

http://forums.digitalpoint.com/showthread.php?t=1392703


Quote:
First of all, what I am going to disclose here is not a fake statement.
I am also a user of Zamfoo and like this script, especially the support of Zamfoo.
But I found that every time you run a Zamfoo upgrade, Zamfoo decodes the server root password and sends that password to support@zamfoo.com.
See the email below:

Code:
version 3.1 license: xxxxxxxxxxxxxxx

 debugger: Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
 Platform:
   osname=linux, osvers=2.6.18-128.1.1.el5.028stab062.3, archname=i686-linux
   uname='linux Serverhost name 2.6.18-128.1.1.el5.028stab062.3 #1 smp sun may 10 18:54:51 msd 2009 i686 i686 i386 gnulinux '
   config_args='-ds -e -Dprefix=/usr/local -Doptimize=-Os -Duseshrplib -Dusemymalloc=y'
   hint=recommended, useposix=true, d_sigaction=define
   usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
   useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
   use64bitint=undef use64bitall=undef uselongdouble=undef
   usemymalloc=y, bincompat5005=undef
 Compiler:
   cc='cc', ccflags ='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
   optimize='-Os',
   cppflags='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -I/usr/include/gdbm'
   ccversion='', gccversion='4.1.2 20080704 (Red Hat 4.1.2-44)', gccosandvers=''
   intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
   d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
   ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
   alignbytes=4, prototype=define
 Linker and Libraries:
   ld='cc', ldflags =' -L/usr/local/lib'
   libpth=/usr/local/lib /lib /usr/lib
   libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
   perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
   libc=/lib/libc-2.5.so, so=so, useshrplib=true, libperl=libperl.so
   gnulibc_version='2.5'
 Dynamic Linking:
   dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.8.8/i686-linux/CORE'
   cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Characteristics of this binary (from libperl):
 Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_LARGE_FILES
                       USE_PERLIO
 Built under linux
 Compiled at Jun  3 2009 02:53:21
 @INC:
   /usr/local/lib/perl5/5.8.8/i686-linux
   /usr/local/lib/perl5/5.8.8
   /usr/local/lib/perl5/site_perl/5.8.8/i686-linux
   /usr/local/lib/perl5/site_perl/5.8.8
   /usr/local/lib/perl5/site_perl
   .

 querystring: license=YouZamfooLicenseDetail
 compare:
 capture: read_license,pathtranslated,php_exec_curl,parse xml,parseurl,
 capture2: PATH=/usr/local/jdk/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/courier-imap/sbin:/usr/lib/courier-imap/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin:/opt/bin
DOCUMENT_ROOT=/usr/local/cpanel/base
SERVER_SOFTWARE=cpaneld
CPANEL=active
SERVER_PORT=2086
SERVER_PROTOCOL=HTTP/1.1
GATEWAY_INTERFACE=CGI/1.1
DNS=yourdomain.com
REMOTE_HOST=212.116.219.101
REMOTE_ADDR=212.116.219.101
REMOTE_PORT=38184
SERVER_ADDR=YourServerMainIP
REQUEST_METHOD=GET
CONTENT_LENGTH=
QUERY_STRING=
ACCEPT_ENCODING=gzip,deflate
TRANSFER_ENCODING=
REQUEST_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
SCRIPT_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
HTTP_X_FORWARDED_FOR=xxxxxxxx
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
HTTP_REFERER=http://xxxxxxxxxxxxx:2086/cgi/zamfoo/zamfoo_landing_root.cgi
CONTENT_TYPE=
HTTP_COOKIE=logintheme=cpanel; whostmgrrelogin=no; whostmgrsession=closed
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_HOST=ServerMainIP
SERVER_NAME=ServerMainIP
SUBID=
UPLINK=
REMOTE_USER=root
REMOTE_PASSWORD=xxxxxxxxxxx
SCRIPT_NAME=/cgi/zamfoo/zamfoo_b9_toolset.cgi
SCRIPT_FILENAME=/usr/local/cpanel/whostmgr/docroot/cgi/zamfoo/zamfoo_b9_toolset.cgi
REDIRECT_STATUS=1

I have changed and bolded my server details.

How can you test this on your server?

I don't know whether it works for you or not, but try it.
Create a cPanel account with the domain zamfoo.com,
then create an email ID in this account via cPanel: support@zamfoo.com.

Now run the upgrade via Zamfoo >> B9 Tool Set - BETA >> check Update ZamFoo
and click "do it".

After that, check the email of support@zamfoo.com.
You will see the email above.

Method 2:
Block all outgoing email, then check Mail Queue Manager under root WHM after upgrading Zamfoo; you will see this email.

----

This certainly does seem worrying for a piece of hosting software; it has been confirmed by the producer of the script later on in the thread and they're working on a patch . . . they said it was put in by accident.

I don't use the software personally, and never will touch anything to do with master reseller. I thought I'd post a thread here since there isn't one currently.


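The "Method 2" check above (hold outbound mail, then inspect what the plugin tried to send) can be automated. The following is an added example, not Zamfoo's, WHMPHP's or any poster's code: it scans held messages for the leak pattern quoted in the post, a message addressed off the server whose body dumps the CGI variables cpaneld sets for WHM plugins (REMOTE_USER, REMOTE_PASSWORD, HTTP_COOKIE). The two sample messages and the local domain `server.example` are constructed.

```python
"""Added example (not Zamfoo's, WHMPHP's or any poster's code): scan held outbound
mail for the leak pattern quoted above, a message leaving the server whose body dumps
CGI variables such as REMOTE_USER/REMOTE_PASSWORD that cpaneld sets. Samples are constructed."""
import re
from email import message_from_string

# CGI environment variables a WHM plugin receives that must never leave the box.
SENSITIVE_ENV = {"REMOTE_USER", "REMOTE_PASSWORD", "HTTP_COOKIE", "HTTP_AUTHORIZATION"}
ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)=(.*)$")

# Constructed sample shaped like the debugging dump quoted in the thread.
LEAKY_MAIL = """\
From: root@server.example
To: support@zamfoo.com
Subject: version 3.3 license: XXXXXXXXXXXX

 debugger: Summary of my perl5 configuration:
SERVER_SOFTWARE=cpaneld
REQUEST_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
HTTP_COOKIE=logintheme=cpanel; whostmgrsession=closed
REMOTE_USER=root
REMOTE_PASSWORD=constructed-not-real
"""
# Constructed benign message: an ordinary notification that stays on the server.
BENIGN_MAIL = """\
From: cpanel@server.example
To: root@server.example
Subject: [server.example] Backup completed

Backup of /home finished at 02:00 with 0 errors.
"""


def mask(value):
    """Keep the first character only, so the scan report cannot itself leak the secret."""
    return value[:1] + "*" * (len(value) - 1)


def scan_message(raw, local_domains):
    """Report external recipients and sensitive CGI variables found in the body."""
    msg = message_from_string(raw)
    hdr = ",".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = [a.strip() for a in hdr.split(",") if a.strip()]
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in local_domains]
    leaked = {}
    for line in msg.get_payload().splitlines():
        m = ENV_LINE.match(line)
        if m and m.group(1) in SENSITIVE_ENV:
            leaked[m.group(1)] = mask(m.group(2))
    return {"external": external, "leaked": leaked, "is_leak": bool(external and leaked)}


def scan_queue(queued, local_domains):
    """Return ids of held messages that would carry credentials off the server (Method 2 above)."""
    return [mid for mid, raw in queued.items() if scan_message(raw, local_domains)["is_leak"]]
```

Feed it the raw text of each message from the held queue (keyed by queue id) and treat any id it returns as a credential leak; the report masks the values so the scan log does not become a second copy of the password.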


  #2  
Old 06-25-2009, 03:11 PM
SA-ChrisM SA-ChrisM is offline
Junior Guru
 
Join Date: Mar 2009
Location: Chicago, IL
Posts: 219
Wow. And I thought only rootkits did that. As a side note, they don't even have a website up now, heh.

  #3  
Old 06-25-2009, 03:20 PM
LH-Danny LH-Danny is offline
Web Hosting Evangelist
 
Join Date: Feb 2008
Location: United Kingdom
Posts: 458
Their website tries to download something to my hard drive.

  #4  
Old 06-25-2009, 04:30 PM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
hi,

the website was down while php was being recompiled. the site is back up. i will answer any and all questions pertaining to this, and regularly update both DP and here pertaining to this. i was just notified of this thread. the thread on DP contains at this point a better and full explanation as to how this occurred and what is being done about it.

thanks,
kevin


  #5  
Old 06-25-2009, 05:00 PM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
hi,

there is now a patch available through the update function. an email to all clients has been queued for sending. please run the update function. verify that the version has changed to version 3.4.

after a successful update, immediately change your password. we encourage you to retest and ensure that this gap is fully closed.

thanks,
kevin


  #6  
Old 06-25-2009, 06:50 PM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
to all WHT people: please also read the DP posts as they may contain information not posted here.


hi,

i feel and hope that this matter is now closed. i am providing for public record the email that has been sent to every client regarding this matter.

email
------

hi,

we regret to inform everyone that a mistake was made when releasing version 3.3

we did not remove a piece of debugging code from our script. the debugging code, unbeknownst to us was mailing us root credentials in plain text. this has been pointed out on some forums this morning.

we are terribly sorry that this has occurred. earlier today we released an initial patch. we now have a full patch available which can be run through the easy updater.

we understand the full severity of this mishap and hope that you continue to trust our software, support and intention of not causing harm to your business, your systems or anyone else's systems through your servers.

full explanations, ways to replicate the problem and see it first hand, an explanation on how and why this piece of code was in the software can be found on the forums.digitalpoint.com and webhostingtalk.com websites as well as the method to verify in the future that this doesn't occur.


please do the following IMMEDIATELY:
--------------------------------------------

run the update script from b9 toolset
then verify that you are running version 3.4 from the footer of the root reseller screen
then change your root password


we will not confirm on an individual server, client or license basis that the problem has been corrected but will ask the clients and people who have reported the problem to publicly confirm that the problem has been corrected.


we value your business greatly and cherish our good standing reputation. we can only hope that this blemish doesn't permanently impact the view of how good or how secure the software is.


sincerest apologies,
kevin


  #7  
Old 06-30-2009, 09:30 AM
10gbus 10gbus is offline
WHT Addict
 
Join Date: May 2009
Posts: 149
Hi
Both whmreseller and zamfoo were caught sending our root password because both run inside the server as executable files.

Another one is WHMPHP, which is, I believe, the safest one on the market regarding server security. Since it is PHP and communicates directly with cPanel (direct quote from the author), it cannot send out root passwords from the server.

CGI programs can collect environment variables and thus send our root passwords. Such a backdoor is zamfoo. Thumbs down

  #8  
Old 06-30-2009, 09:47 AM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
hi,

as i stated, it was an accidental oversight in the version 3.3 release. a patch was issued within 1 hour.

php and mysql are much more vulnerable to cross site scripting and remote file injection. these are big issues. if you use whmphp for multiple servers then you are vulnerable on not just one machine...but all of them.

i'm not putting down whmphp but there are drawbacks to their software as well. additionally php can similarly grab environment variables.

kevin



Last edited by hostydotnet; 06-30-2009 at 09:55 AM.
  #9  
Old 06-30-2009, 10:02 AM
10gbus 10gbus is offline
WHT Addict
 
Join Date: May 2009
Posts: 149
Quote:
Originally Posted by hostydotnet View Post
hi,

as i stated, it was an accidental oversight in the version 3.3 release. a patch was issued within 1 hour.

php and mysql are much more vulnerable to cross site scripting and remote file injection. these are big issues. if you use whmphp for multiple servers then you are vulnerable on not just one machine...but all of them.

i'm not putting down whmphp but there are drawbacks to their software as well. additionally php can similarly grab environment variables.

kevin

Hm.. I believe you are not aware of PHP.
PHP cannot collect dangerous information such as the server root password, like what you did with your script.

File and SQL injection, a good PHP developer can overcome, and I haven't heard a single bad comment about whmphp. My friend is using it on his server and we both have nothing to say other than it's just great.

I have checked your script as well; well, it really ***ks! IMO. Plus today I heard the news as well that it collects the server root password, the same as whmreseller, as proved by coolstfuff on DP.

  #10  
Old 06-30-2009, 10:10 AM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
hi,

it does not collect root passwords. you can verify this. additionally php has the availability to contain cgi code and use cgi libraries so the claim that this is not possible is entirely.....unintelligent.

kevin



Last edited by hostydotnet; 06-30-2009 at 10:17 AM.
  #11  
Old 06-30-2009, 10:22 AM
10gbus 10gbus is offline
WHT Addict
 
Join Date: May 2009
Posts: 149
Quote:
Originally Posted by hostydotnet View Post
hi,

it does not collect root passwords. you can verify this. additionally php has the availability to contain cgi code and use cgi libraries so the claim that this is not possible is entirely.....unintelligent.

kevin
Can you elaborate on these sentences?
It does not collect? Which one? Zamfoo? Well, it was already proved that Zamfoo collects the root pass and sends it to support@zamfoo.com for you.

  #12  
Old 06-30-2009, 10:29 AM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
hi,

zamfoo does not collect root passwords, v3.3 was the only piece that had the debugging code in it. it was removed within the hour. you can verify it does not do what you are claiming to be the case. download the latest version, install it and do what they are telling you to do. you will see no passwords are sent.

kevin


  #13  
Old 06-30-2009, 10:30 AM
10gbus 10gbus is offline
WHT Addict
 
Join Date: May 2009
Posts: 149
Quote:
Originally Posted by hostydotnet View Post
hi,

zamfoo does not collect root passwords, v3.3 was the only piece that had the debugging code in it. it was removed within the hour. you can verify it does not do what you are claiming to be the case. download the latest version, install it and do what they are telling you to do. you will see no passwords are sent.

kevin
Since the code is encrypted, there is no way to verify it.

Well, you seem like a little kid who is playing with me by arguing.

  #14  
Old 06-30-2009, 10:36 AM
hostydotnet hostydotnet is offline
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
Quote:
Originally Posted by 10gbUS View Post
Since the code is encrypted, there is no way to verify it.

Well, you seem like a little kid who is playing with me by arguing.
i'm not arguing with you. you clearly do not know what you are talking about. i'm attempting to clarify your misconception.

yes, it can be verified, without giving my source code away.
there are posts on how to verify the software is not sending root passwords.

did you read this full thread, where i clearly point to and say how to verify that the debugging code has been removed, or just post blindly to it about whmphp as a plug for the whmphp script?


  #15  
Old 06-30-2009, 01:44 PM
sharmaine1111 sharmaine1111 is offline
Web Hosting Master
 
Join Date: Sep 2007
Posts: 815
I think he is not plugging whmphp. He was stating the fact that your script is collecting passwords. By stating that, it's unavoidable to compare you to other master script providers. Don't get too defensive just because someone pointed out a fact. You may have already patched it, but you can't deny that you had already collected root passwords before you were able to patch it. That means all your clients had to change their root password just to ensure that zamfoo will not be like a rootkit.
